Analysis
- max time kernel: 63s
- max time network: 64s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-01-2023 00:44
Static task: static1
Behavioral task: behavioral1
- Sample: 95ae8e32eb8635e7eabe14ffbfaa777b.dll
- Resource: win7-20221111-en
Behavioral task: behavioral2 (the run documented on this page)
- Sample: 95ae8e32eb8635e7eabe14ffbfaa777b.dll
- Resource: win10v2004-20221111-en
General
- Target: 95ae8e32eb8635e7eabe14ffbfaa777b.dll
- Size: 5.0MB
- MD5: 95ae8e32eb8635e7eabe14ffbfaa777b
- SHA1: d5872c3f694a9e23c0583c4ae3e5c59eab26c021
- SHA256: fb648bfb485f910e065cc18778364a56be32044d1ac4729449f3cc28221b12e8
- SHA512: 053e31bb5d469a2c4b1c5ab658d87051168c8a0b8d55d1709bcc4c11faf16fd1617263c5c30c4c9bfb5b319ead6d2712fafebc5a40888f5a6b46d1eb6030335f
- SSDEEP: 49152:RnnMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:1nPoBhz1aRxcSUDk36SAEdhv
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm. In this run the sample is the loader DLL: invoked through rundll32.exe export #1, it drops and starts C:\WINDOWS\mssecsvr.exe, which in turn drops C:\WINDOWS\tasksche.exe; a second mssecsvr.exe instance runs with the arguments "-m security" (PID 4876, parent not recorded). Of the signatures below, only Executes dropped EXE, Drops file in Windows directory (two of its three IoCs), Modifies data under HKEY_USERS and Suspicious use of WriteProcessMemory are attributable to the sample's own processes (rundll32.exe and mssecsvr.exe). Every other hit comes from programs resident in the sandbox image (vlc.exe, mspaint.exe, taskmgr.exe, OpenWith.exe, svchost.exe) and is background noise rather than sample behaviour.
- Executes dropped EXE (2 IoCs)
  PID   Process
  4724  mssecsvr.exe
  4876  mssecsvr.exe
- Drops file in System32 directory (11 IoCs)
  All eleven writes are by svchost.exe hosting DsSvc (PID 1564 in the process tree) to the Data Sharing Service's own database files under the LocalSystem profile; this is normal OS background activity, not behaviour of the sample.
  Description                   IoC                                                                                            Process
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk            svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx            svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs    svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk            svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm     svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat     svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp            svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log            svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log         svchost.exe
  File created                  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs    svchost.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat     svchost.exe
- Drops file in Windows directory (3 IoCs)
  The first two entries are the sample's two stages being written; the third is mspaint.exe updating its WIA trace log and is benign.
  Description                   IoC                                  Process
  File created                  C:\WINDOWS\mssecsvr.exe              rundll32.exe
  File created                  C:\WINDOWS\tasksche.exe              mssecsvr.exe
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log    mspaint.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments. In this run, however, all three reads come from taskmgr.exe (PID 3352), a system tool launched in the sandbox, not from any of the sample's processes, so this hit does not show anti-analysis behaviour by the sample.
  Description        IoC                                                                                                                                             Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                   taskmgr.exe
- Modifies data under HKEY_USERS (12 IoCs)
  All twelve writes are by mssecsvr.exe and land under HKEY_USERS\.DEFAULT, the profile hive used by processes running as LocalSystem; the process tree attributes them to the service-mode instance (PID 4876). The keys are the Internet Settings zone map that WinINet initialises on first use.
  Description       IoC                                                                                                              Process
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvr.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvr.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvr.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History                   mssecsvr.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft                                                                         mssecsvr.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows                                                                 mssecsvr.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion                                                  mssecsvr.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                       mssecsvr.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings                                mssecsvr.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software                                                                                   mssecsvr.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P                            mssecsvr.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvr.exe
- Modifies registry class (5 IoCs)
  These writes are by taskmgr.exe and mspaint.exe (the Spotify startup-task state under the user's Classes hive) and are sandbox desktop activity unrelated to the sample.
  Description       IoC                                                                                                                                                                                                 Process
  Set value (int)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify\UserEnabledStartupOnce = "0"  taskmgr.exe
  Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings                                                                                                                 mspaint.exe
  Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings                                                                                                                 mspaint.exe
  Key created       \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify    taskmgr.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify\State = "0"  taskmgr.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID   Process
  1496  vlc.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  PID   Process      Occurrences
  4776  mspaint.exe  2
  2384  mspaint.exe  2
  4540  mspaint.exe  2
  3352  taskmgr.exe  9
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID   Process
  1496  vlc.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  All five are privileges enabled by taskmgr.exe (PID 3352), which needs them to enumerate and manage other processes.
  Token                        PID   Process
  SeDebugPrivilege             3352  taskmgr.exe
  SeSystemProfilePrivilege     3352  taskmgr.exe
  SeCreateGlobalPrivilege      3352  taskmgr.exe
  33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege)  3352  taskmgr.exe
  SeIncBasePriorityPrivilege   3352  taskmgr.exe
- Suspicious use of FindShellTrayWindow (43 IoCs)
  PID   Process      Occurrences
  1496  vlc.exe      9
  3352  taskmgr.exe  34
- Suspicious use of SendNotifyMessage (42 IoCs)
  PID   Process      Occurrences
  1496  vlc.exe      8
  3352  taskmgr.exe  34
- Suspicious use of SetWindowsHookEx (9 IoCs)
  PID   Process       Occurrences
  1496  vlc.exe       1
  4776  mspaint.exe   4
  2384  mspaint.exe   1
  3664  OpenWith.exe  1
  4540  mspaint.exe   1
  4800  OpenWith.exe  1
- Suspicious use of WriteProcessMemory (6 IoCs)
  Each rundll32.exe instance wrote three times into the child it was creating; the three writes per child are the ordinary process-creation pattern, recorded here because the child of the second rundll32.exe is the dropped mssecsvr.exe.
  Description                          Source PID  Process       procid_target  Occurrences
  PID 4372 wrote to memory of 1640     4372        rundll32.exe  81             3
  PID 1640 wrote to memory of 4724     1640        rundll32.exe  82             3
Processes
- C:\Windows\system32\rundll32.exe (PID 4372)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\95ae8e32eb8635e7eabe14ffbfaa777b.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1640)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\95ae8e32eb8635e7eabe14ffbfaa777b.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvr.exe (PID 4724)
      Command line: C:\WINDOWS\mssecsvr.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
- C:\WINDOWS\mssecsvr.exe (PID 4876)
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
- C:\Program Files\VideoLAN\VLC\vlc.exe (PID 1496)
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SplitLock.mp4v"
  Signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\mspaint.exe (PID 4776)
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UnblockUnpublish.dib"
  Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\svchost.exe (PID 4412)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
  Signatures: none
- C:\Windows\system32\mspaint.exe (PID 2384)
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RenameDisable.jpg" /ForceBootstrapPaint3D
  Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
- C:\Windows\System32\svchost.exe (PID 1564)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
  Signatures: Drops file in System32 directory
- C:\Windows\system32\OpenWith.exe (PID 3664)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\system32\mspaint.exe (PID 4540)
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RenameDisable.jpg" /ForceBootstrapPaint3D
  Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe (PID 4800)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskmgr.exe (PID 3352)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures: Checks SCSI registry key(s); Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

Notes on the tree: the 64-bit rundll32.exe (PID 4372) re-launches the 32-bit copy from SysWOW64 with the identical command line, which is what rundll32 does when asked to load a 32-bit DLL; the actual dropping is done by the SysWOW64 instance (PID 1640). The second mssecsvr.exe (PID 4876, "-m security") appears at the top level because its parent was not recorded. The remaining top-level processes (vlc.exe, mspaint.exe, OpenWith.exe, taskmgr.exe, the two svchost.exe service hosts) are the sandbox's own desktop and service activity during the 63-second run.
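As an added example (not part of the sandbox report and not any vendor's detection content), the following Python replays a handful of Sysmon-style process and file events constructed by hand from the process tree and "Drops file" IoCs above, and flags the loader chain the report records: rundll32.exe invoking a DLL export by ordinal, a write to C:\WINDOWS\mssecsvr.exe from that lineage, the dropped binary executing, and the "-m security" relaunch. The Event field names, rule names and the `triage` function are this example's own assumptions, not a sandbox or Sysmon schema; the hashes and paths are copied from the report.

```python
"""Replay constructed process/file telemetry and flag the WannaCry loader
chain recorded in the sandbox report (added example, not report content)."""
from dataclasses import dataclass
import re

# Indicators copied verbatim from the report above.
SAMPLE_HASHES = {
    "md5": "95ae8e32eb8635e7eabe14ffbfaa777b",
    "sha1": "d5872c3f694a9e23c0583c4ae3e5c59eab26c021",
    "sha256": "fb648bfb485f910e065cc18778364a56be32044d1ac4729449f3cc28221b12e8",
}
WANNACRY_DROP_PATHS = {r"c:\windows\mssecsvr.exe", r"c:\windows\tasksche.exe"}

# rundll32 loading a DLL export by ordinal, e.g. "...\x.dll,#1"
ORDINAL_RE = re.compile(r"\.dll,#\d+\b", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    """One telemetry record. The schema is this example's own assumption."""
    kind: str          # "process" (creation) or "file" (create/write)
    pid: int           # acting process
    ppid: int          # parent of the acting process (0 = not recorded)
    image: str         # full path of the acting process
    cmdline: str = ""  # process events only
    target: str = ""   # file events only: path written


def _norm(path: str) -> str:
    return path.strip('"').lower()


def matches_known_sample(hashes: dict) -> bool:
    """True if any supplied digest equals one of the report's sample digests."""
    return any(SAMPLE_HASHES.get(alg) == val.lower() for alg, val in hashes.items())


def triage(events):
    """Replay events in order; return per-event rule hits and a chain verdict.

    'executes_dropped_file' depends on event order: the file write must be
    seen before the process that executes it, as it is in the report.
    """
    procs = {e.pid: e for e in events if e.kind == "process"}
    findings = []
    dropped = set()           # normalised paths written so far
    droppers = set()          # pids that wrote a known WannaCry path
    ordinal_pids = set()      # rundll32 pids invoking an export by ordinal
    executed_dropped = set()  # pids whose image is a path written earlier

    def lineage(pid):
        """pid followed by its recorded ancestors (cycle-safe)."""
        seen = []
        while pid in procs and pid not in seen:
            seen.append(pid)
            pid = procs[pid].ppid
        return seen

    for e in events:
        if e.kind == "process":
            img = _norm(e.image)
            if img.endswith("\\rundll32.exe") and ORDINAL_RE.search(e.cmdline):
                findings.append(("rundll32_ordinal_export", e.pid))
                ordinal_pids.add(e.pid)
            if img in dropped:
                findings.append(("executes_dropped_file", e.pid))
                executed_dropped.add(e.pid)
            if img.endswith("\\mssecsvr.exe") and "-m security" in e.cmdline.lower():
                findings.append(("mssecsvr_service_relaunch", e.pid))
        elif e.kind == "file":
            t = _norm(e.target)
            dropped.add(t)
            if t in WANNACRY_DROP_PATHS:  # allow-list keeps benign writes out
                findings.append(("drops_known_wannacry_path", e.pid))
                droppers.add(e.pid)

    # Chain verdict: an ordinal rundll32 call sits in the dropper's lineage
    # and a dropped binary was then executed as a child of that dropper.
    verdict = any(
        set(lineage(d)) & ordinal_pids
        and any(procs[x].ppid == d for x in executed_dropped)
        for d in droppers
    )
    return {"findings": findings, "verdict": verdict}


# Constructed from the report's process tree and "Drops file" IoCs.
DLL = r"C:\Users\Admin\AppData\Local\Temp\95ae8e32eb8635e7eabe14ffbfaa777b.dll"
SAMPLE_EVENTS = [
    Event("process", 4372, 0, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Event("process", 1640, 4372, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Event("file", 1640, 4372, r"C:\Windows\SysWOW64\rundll32.exe", target=r"C:\WINDOWS\mssecsvr.exe"),
    Event("process", 4724, 1640, r"C:\WINDOWS\mssecsvr.exe", r"C:\WINDOWS\mssecsvr.exe"),
    Event("file", 4724, 1640, r"C:\WINDOWS\mssecsvr.exe", target=r"C:\WINDOWS\tasksche.exe"),
    # Parent not recorded in the report; 0 stands in for "unknown".
    Event("process", 4876, 0, r"C:\WINDOWS\mssecsvr.exe", r"C:\WINDOWS\mssecsvr.exe -m security"),
    # Benign noise that also tripped the report's "Drops file in Windows directory".
    Event("process", 4776, 0, r"C:\Windows\system32\mspaint.exe",
          r'"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UnblockUnpublish.dib"'),
    Event("file", 4776, 0, r"C:\Windows\system32\mspaint.exe", target=r"C:\Windows\Debug\WIA\wiatrace.log"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for rule, pid in result["findings"]:
        print(f"{rule:28s} pid={pid}")
    print("wannacry loader chain:", result["verdict"])
```

Two details are worth noticing when running it. The "Executes dropped EXE" hits land on PIDs 4724 and 4876, the same two the report lists, because both instances' image path had been seen as a file write earlier in the stream. The mspaint.exe write to wiatrace.log is deliberately included: the generic "Drops file in Windows directory" signature fires on it in the report, while the path allow-list here keeps the chain logic from treating it as a dropper.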
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.2MB
  MD5: 115b1d97402bc50dacb74ba73c7464d2
  SHA1: 799abb0d4067ec605126cd40ce52949510a60cf7
  SHA256: a837de3df64de641ca48b50983dc072692e237a24197bcc0c080152c4ddc3c2b
  SHA512: 910bf83e0c71df49d5c47cfd078d961ac5214fbcc14ed73052075f0e00e80bd942bc2fbb585630b630d78ac713d7a0dc899aa95a14f2554440f09c6119833bc4
  (The report lists this file three times with identical size and hashes; the file names are not given.)